shim 15.8: What's changed * Various CVE fixes: CVE-2023-40546 mok: fix LogError() invocation CVE-2023-40547 - avoid incorrectly trusting HTTP headers CVE-2023-40548 Fix integer overflow on SBAT section size on 32-bit system CVE-2023-40549 Authenticode: verify that the signature header is in bounds. CVE-2023-40550 pe: Fix an out-of-bound read in verify_buffer_sbat() CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries * Add make infrastructure to set the NX_COMPAT flag by @vathpela in https://github.com/rhboot/shim/pull/530 * Make sbat_var.S parse right with buggy gcc/binutils by @vathpela in https://github.com/rhboot/shim/pull/535 * Drop invalid calls to CRYPTO_set_mem_functions by @nicholasbishop in https://github.com/rhboot/shim/pull/537 * pe: Align section size up to page size for mem attrs by @nicholasbishop in https://github.com/rhboot/shim/pull/539 * test-sbat: Fix exit code by @vathpela in https://github.com/rhboot/shim/pull/540 * pe: Add IS_PAGE_ALIGNED macro by @nicholasbishop in https://github.com/rhboot/shim/pull/541 * CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapper by @nicholasbishop in https://github.com/rhboot/shim/pull/546 * Don't loop forever in load_certs() with buggy firmware by @rmetrich in https://github.com/rhboot/shim/pull/547 * Block Debian grub binaries with SBAT < 4 by @steve-mcintyre in https://github.com/rhboot/shim/pull/550 * Shim unable to locate grubx64 in PXE boot mode when grubx64 is stored in a different file path by @Alberto-Perez-Guevara in https://github.com/rhboot/shim/pull/551 * Further improve load_certs() for non-compliant drivers/firmwares by @pbatard in https://github.com/rhboot/shim/pull/560 * pe: only process RelocDir->Size of reloc section by @mikebeaton in https://github.com/rhboot/shim/pull/562 * Rename 'msecs' to 'usecs' to avoid potential confusion by @aronowski in https://github.com/rhboot/shim/pull/563 * Optionally allow to keep shim protocol installed by @bluca in https://github.com/rhboot/shim/pull/565 * SBAT-related documents formatting and spelling by @aronowski in https://github.com/rhboot/shim/pull/566 * Add SbatLevel_Variable.txt to document the various revocations by @jsetje in https://github.com/rhboot/shim/pull/569 * Add a security contact email address in README.md by @vathpela in https://github.com/rhboot/shim/pull/572 * Use -Wno-unused-but-set-variable for Cryptlib and OpenSSL by @vathpela in https://github.com/rhboot/shim/pull/576 * mok: fix LogError() invocation by @vathpela in https://github.com/rhboot/shim/pull/577 * Minor housekeeping by @vathpela in https://github.com/rhboot/shim/pull/578 * Test ImageAddress() by @vathpela in https://github.com/rhboot/shim/pull/579 * FreePages() is used to return memory allocated by AllocatePages() by @dennis-tseng99 in https://github.com/rhboot/shim/pull/580 * Size should minus 1 when calculating 'RelocBaseEnd' by @jsetje in https://github.com/rhboot/shim/pull/581 * Verify signature before verifying sbat levels by @jsetje in https://github.com/rhboot/shim/pull/583 * Add libFuzzer support for csv.c and sbat.c by @vathpela in https://github.com/rhboot/shim/pull/584 * mok: Avoid underflow in maximum variable size calculation by @alpernebbi in https://github.com/rhboot/shim/pull/587 * Housekeeping by @vathpela in https://github.com/rhboot/shim/pull/605 Signed-off-by: Peter Jones <pjones@redhat.com>